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Abstract 

In the generalized Russian cards problem, the three players Alice, 
Bob and Cath draw a, b and c cards, respectively, from a deck of 
a + b + c cards. Players only know their own cards and what the 
deck of cards is. Alice and Bob are then required to communicate 
their hand of cards to each other by way of public messages. The 
communication is said to be safe if Cath does not learn the ownership 
of any specific card; in this paper we consider a strengthened notion 
of safety introduced by Swanson and Stinson which we call k-safety. 

An elegant solution by Atkinson views the cards as points in a 
finite projective plane. We propose a general solution in the spirit of 
Atkinson's, although based on finite vector spaces rather than pro- 
jective planes, and call it the 'geometric protocol'. Given arbitrary 
c, k > 0, this protocol gives an informative and fc-safe solution to 
the generalized Russian cards problem for infinitely many values of 
(a, b, c) with b = 0{ac). This improves on the collection of parameters 
for which solutions are known. In particular, it is the first solution 
which guarantees fc-safety when Cath has more than one card. 

*Email: {acordon,hvd,df duque ,f soler}@us . es. Affiliation: University of Sevilla, 
Spain. Affiliation Hans v.D.: LORIA, France, and (as research associate) IMSc, India. 



1 Introduction 



The generalized Russian cards problem [IJ [H] is a family of combinatorial 
puzzles about secure secret-sharing between card players. It is parametrized 
by a triple of natural numbers (a,b,c), which we call its size, and can be 
stated as follows: 

The generalized Russian cards problem 

Alice, Bob and Cath each draw a, b and c cards, respectively, from 
a deck containing a total of a + b + c. All players know which 
cards were in the deck and how many of them the other players 
drew, but may only see the cards in their own hand. 

Alice and Bob want to know exactly which cards the other holds. 
Meanwhile, they do not want for Cath to learn who holds any 
card whatsoever, aside of course from her own cards. 

However, they may only communicate by making true, clear, pub- 
lic announcements, so that Cath can learn all the information that 
they exchange. 

Can Alice and Bob achieve this? 

The solutions to this problem are given by protocols. The eavesdropper Cath 
is able to hear all communications, and Alice and Bob (and Cath) are aware of 
that. In such information-exchanging protocols between Alice and Bob, Cath 
typically acquires quite a bit of data, but not enough to be able to deduce 
any secrets. Many protocols have been proposed [U El E], and cryptography 
based on card deals is also investigated in other settings [TTJ, [12], yet it 
remains unknown exactly for which triples (a, b, c) the problem can be solved. 

The goal of this article is to present a new protocol based on finite linear 
algebra, inspired by a protocol based on projective geometry by Atkinson 
that was reported in [TJ, and that we present in Section [2] This geometric 
protocol solves the generalized Russian cards problem in many instances that 
were previously unsolved. Also, it employs a stronger notion of security than 
is often considered, which we call k-safety and is equivalent to weak k-security 
in Hi]. 

Some general assumptions are needed to make the problem precise, which 
we shall formalize in Section [3j along with the notion of protocol. First, the 
cards are dealt beforehand in a secure phase which we treat as a black box 
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and gives the players no information about others' cards. The agents have 
no communication before this phase and cannot share secrets (such as pri- 
vate keys). Second, the agents have unlimited computational capacity. This 
means, on one hand, that solutions via encryption are not valid, provided 
they are vulnerable to cryptanalysis (regardless of its difficulty). It also 
means that we shall not be concerned with the feasibility of agents' strate- 
gies, although this is certainly an interesting line for future inquiry. Third, 
all strategies are public knowledge, keeping with Kerkhoffs' principle [6]. 

1.1 Known solutions 

Many solutions consist of two announcements. First, Alice announcess of a 
number of possible hands she may hold; then, Bob discloses Cath's cards (or 
other equivalent information). Atkinson's solution is for the case (3, 3, 1) and 
consists of viewing the cards as points in a projective plane, in such a way 
that Alice holds a line. She then announces the seven lines of that plane, 
i.e., seven triples of cards. This protcol is presented in pQ, along with many 
incidental results, and will be discussed further in Section|2j The size (3, 3, 1) 
was first considered by Kirkman [TJ, who suggests a solution using a design, 
a collection of subsets of a given set that satisfies certain regulaties [13] . The 
design consists of seven triples — and accidentally these are the lines that 
form the projective geometric plane. 

A possibly better-known solution for (3, 3, 1) is to number the cards 
0, . . . , 6, after which Alice and Bob announce the sum of their cards modulo 
7 (i.e., modulo the number of cards in the pack). This was the proposed 
solution when the problem appeared in the Moscow Mathematics Olympiad 
in 2000, from which it earned its current name [9]; a very similar approach 
works in any case where Cath holds only one card and a, b > 2 [2j. A pro- 
tocol of three announcements for (4, 4, 2) is reported in [IB] , and a four-step 
protocol for c = 0(a 2 ) and b = 0(c 2 ) is presented in [3]. The last two are 
notable because they provide solutions for c > 1 and neither can be solved 
with two- announcement protocols. 

Stronger notions of security are studied by Swanson and Stinson in [14] . 
There, a distinction is made between weak and perfect security; in perfectly 
secure protocols, Cath does not acquire any probabilistic information about 
the ownership of any specific card. They also introduce k-secure protocols, 
where tuples of at most k cards are considered simultenously. They then 
characterize the perfect (k — l)-secure solutions for sizes (a,b,a — k) and 
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show that k = a — 1 and c = 1. These notions will be revisited in Section [3j 
but we remark that the protocol we shall present is weakly fc-secure. 

1.2 Plan of the paper 

In Section[2]we give an informal description of the protocol. Section [^formal- 
izes our model of security and our notion of protocol, so that in Section [4] we 
may give a rigorous specification. The protocol depends on several param- 
eters and is only executable under certain constraints; Section [5] computes 
solutions to these constraints. 

1.3 Finite geometry 

We assume some basic familiarity with finite fields and finite geometry; these 
are covered in texts such as [8 J and [1], respectively. 

Throughout the paper, p will denote a prime or a power of a prime, and 
F p the field with p elements. If d is any natural number, Fp 1 denotes the 
vector space of dimension d over F p . Given sets U, V C F^ we write (U) for 
the span of U (i.e., the set of all linear combinations of elements of U), and 
we write U + V for the set {u + v : u G U and v G V}. We may write x + V 
instead of {xj + V^, and similarly (x, U) instead of {{x}L)U). By a hyperplane 
we mean any set of the form x + V where V is a subspace of dimension d — 1, 
and two hyperplanes X, Y are parallel if X ^ Y but there is a vector x such 
that X = x + Y. 

Recall that |F^| = p d , where \X\ denotes the cardinality of X. Moreover, 
if U 7^ V are hyperplanes, then U has exactly p d ~ x elements, while |Z7D V| < 
p d ~ 2 . Parallel hyperplanes have empty intersection. 

2 Motivating examples 

Let us begin by presenting Atkinson's solution for the case (3,3, 1). In this 
setting, Alice and Bob each draw three cards from a deck of seven cards, 
while Cath gets the remaining card. The claim is that Alice and Bob can 
communicate their cards to each other by way of public announcements, 
without informing Cath of any of their cards. First, Alice announces that 
her hand is a line in a projective plane consisting of seven points (cards). Or, 
to be precise, Alice assigns a point in the projective plane to each card in 
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such a way that her own hand forms a line, and then announces "The hand 
I hold is one of the following. . . ," after which she proceeds to list every set 
of cards which corresponds to a line. Then, to conclude the protocol, Bob 
announces Cath's card. 
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Figure 1: Alice holds a line in the 7-point projective plane 

Why does this work? Suppose that the cards are numbered 0, 1, ... ,6, 
that Alice holds the cards 0, 1 and 2, Bob holds 3, 4, and 5, and therefore 
Cath holds 6. Alice announces: "My cards form a line in the projective 
plane whose lines are 012, 034, 056, 135, 146, 236, and 245." (See Figure [l)) 
Bob then announces: "Cath holds 6." After Alice's announcement, Cath, 
who holds card 6, can eliminate from the seven triples the ones containing 6: 
056, 146, and 236. The remaining hands are: 012, 034, 135 and 245. Cath 
therefore cannot deduce that Alice has 0, because 135 is a possible hand of 
Alice. She also cannot deduce that Alice does not have 0, because Alice's 
actual hand 012 is also a possible hand. And so on, for all possible cards 
of Alice. Also — and this is important — for any other deal of cards in which 
Alice can truthfully make this announcement we can repeat this exercise, 
e.g., also when Alice holds 012 and Cath 4, also when Alice holds 135 and 
Cath 0, and so on. 

Meanwhile, Bob learns Alice's cards from her announcement, because all 
but 012 contain either a 3, a 4, or a 5. Again, we have to do this for all 
card triples xyz, not just for Bob's actual hand 345, and also for all seven 
possible hands of Alice and all hands Bob can have in that case. After Alice's 
announcement Bob therefore always knows Cath's card and can announce it, 
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from which Alice also learns the entire deal of cards. 

Let us give an informal account of the geometric protocol to motivate the 
formal description later. It is similar to Atkinson's, but there are three main 
differences: 

1. Projective spaces are replaced by vector spaces; in fact, the original pro- 
tocol is not dependent on any particular property of projective spaces 
that they do not share with vector spaces. 

2. Rather than considering exclusively planes, we work over spaces of 
arbitrary dimension, so that in general Alice arranges her cards on a 
hyperplane. 

3. Alice may have more cards than fit on a single hyperplane. Thus she 
shall arrange her cards on several parallel hyperplanes. 

The protocol works as follows. Fix a size (a, b, c) such that there are 
integers d, k > and a prime power p with a = kp d and a + b + c = p d+1 . 
Suppose that (A, B, C) has been dealt, and that D = A U B U C. Alice 
chooses a map / : D — > F^ 4 " 1 , such that A is the disjoint union of k parallel 
hyperplanes. Then, she announces the set A of all hands X with a elements 
such that f(X) has this form; in other words: such that X maps to the 
disjoint union of k parallel hyperplanes. 

In Section |4| in Definition |3.1[ we shall give a more rigorous definition 
of this protocol, and we then also show this protocol to be fc-safe, provided 
the parameters satisfy certain constraints; fc-safe means that for any k cards 
not held by Cath, she cannot learn whether Alice all holds them (i.e., if she 
holds all those cards or does not hold some of them). In that sense, the above 
projective plane solution for (3, 3, 1) is 1-safe. 

But first, let us focus on a specific instance to see the protocol in action. 
Consider a card deal of size (8,6,2), so that there are 16 cards, of which 
Alice holds eight, Bob six and Cath two. For this example we will work 
over F 2 ; note that the field F4 has elements {0, 1, a, a 2 } where a is a root of 
x 2 + x + 1. In order to execute the geometric protocol, Alice first announces 
that her cards are two parallel lines in F 2 ; after this, Bob informs Alice of 
Cath's cards. 

Let us see why this protocol works. The deck D may be any set with 16 
elements. The only thing that matters is a bijection /:£)—>■ F 2 , where we 
represent F 2 as {(i, j) \ i, j G {0, 1, a, a 2 }}. 
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a' m O ■ O 

aM o ■ O 

1 ■ A ■ A 

OB O ■ O 

1 a a' 



a 2 O O O 

am m m m 

1 O A O A 

OB B B B 

1 a a 2 

Figure 2: Card deals in F 2 



a' m O B O 

am o m a 

IB O B A 

OB O B A 

1 a a 2 



Why does this bijection inform Bob of Alice's cards? Consider the con- 
figuration in Figure |2] (left), where Alice's cards are represented as ■. Bob's 
as O and Cath's as A. This two-dimensional plane F4 consists of 20 lines 
(hyperplanes) , such as the four horizontal and the four vertical lines in the 
figure. The other three foursomes are somewhat less obvious to visualize 
based on this representation; for example, the line x = y is given by the 
set L = {(0, 0), (1, 1), (a, a), (a 2 , a 2 )}, whereas the parallel line (0, a 2 ) + L 
is given by {(0, a 2 ), (1, a), (a, 1), (a 2 , 0)}. Just as for (3, 3, 1) and the seven- 
point projective plane, Alice's announcement rules out some possibilities for 
her hand, as not every set of eight points includes two parallel lines. 

Alice's announcement is sufficient for Bob to determine Alice's hand. 
Suppose that A, B, C are the sets of cards that Alice, Bob and Cath hold, 
respectively. Then, A U C contains ten points, and thus cannot contain two 
different pairs of parallel lines, as the minimum set to contain different pairs 
of parellel lines is twelve points. In Figure [2] (left), AUC contains three lines, 
namely the two verticals and the one horizontal, but only one pair of parallel 
lines. More generally, one can check no set of ten points contains two distinct 
pairs of parallel lines. 

On the other hand, it is not merely the case that Cath, who holds points 
(cards) (1, 1) and (a 2 , 1), cannot determine the ownership of a single card not 
in her possession, but it is even the case that for every pair {x, y} of points, 
Cath considers it possible that {x, y} C A and that {x, y} (£ A. In other 
words, the protocol is 2-safe; for example, consider the pair {(a 2 , 0), (a 2 , a)}. 
In Figure [2] (left) these cards are held by Bob, but in Figure [2] (center) these 
cards are held by Alice. From Cath's perspective, the card deal (A', B', C) 
depicted in the center, where {(a 2 , 0), (a 2 , a)} C A ; , is indistinguishable from 
the card deal (A, B, C) on the left, where {(a 2 , 0), (a 2 , a)} ^ A, even though 
{(a 2 ,0), (a 2 , a)} fl A = 0. This can be verified systematically for all pairs 
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and indeed Cath cannot learn any of Alice's cards, or even predict that Alice 
holds a card from any given pair. 

However, if Cath has three cards then she may learn some of Alice's cards. 
Consider Figure [2] (right). Cath learns that the point (a 2 , a 2 ) belongs to Bob, 
as there is no pair of parallel lines in A U B such that one of them contains 
(a 2 , a 2 ), for any such pair of lines would cross the line x = a 2 in two different 
points, and Cath would hold one of them. If she has even more than three 
cards this only gets worse; indeed, it is known that no two-step protocol can 
be safe and informative when Cath holds as many as or more cards than 

Aiicflni. 

3 Protocols and safety 

Before we continue let us present the notions of protocol, informativity and 
safety we shall use. Throughout this paper, we will assume that D is a fixed, 
finite set of "cards". A card deal is a partition (A, B, C) of D; the deal has 
size (a,b,c) if A is an a-set, B a 6-set and C a c-set, where by "x-set" we 
mean a set of cardinality x. We denote the set of x-subsets of Y by (^). 
We think of A as the hand of Alice, or that Alice holds A; similarly, B and 
C are the hands of Bob and Cath, respectively. In general we may simply 
assume that D = {l,...,a + 6 + c}, and define Deal (a, b, c) to be the set of 
partitions of D of size (a,b,c). In [H] and other papers, an announcement 
has been modelled as a set of hands that one of the agents may hold. Thus 
Alice would announce a subset A of (), indicating that A G A, and we 
follow this presentation. 

A characteristic assumption of the problem is that there is a secure deal- 
ing phase in which the players learn no information about others' cards, 
encrypted or otherwise. At the beginning of the protocol, players have knowl- 
edge of their own cards, the cards contained in D, and of the size (a, b, c) of 
the deal, but nothing more. Thus they are not able to distinguish between 
different deals where they hold the same hand. We model this by equivalence 
relations between deals; since from Alice's perspective, (A, B, C) is indistin- 
guishable from (A, B', C), we define (A, B, C) A ~ e (A', B', C) if and only if 
A = A'. We may define analogous equivalence relations for Bob and Cath. 

■"■Note however that this restriction may be circumvented by using protocols of more 
than two steps [3]- 
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Strategies of length two are defined in [H]. These assign a probability 
distribution to Alice's possible announcements. If the probability distribution 
is uniform these are called equitable strategies. We will work exclusively 
with equitable strategies, and simply call them protocols. Since probability 
is distributed evenly among the possible outcomes, we may dispense with 
probability measures and merely specify a set of possible announcements. 

Definition 3.1 (Protocol). Fix a size (a,b,c) and let D = {1, . . . , a + fe + c}. 
A protocol (for (a, 6, c)) is a function it assigning to each A G ( D ) a non- 
empty set it (A) C V (( )) with the property that A G P| tt (A) . 

Protocols are non-deterministic in principle; Alice may announce any A G 
ir (A). Meanwhile, a successful protocol must have two additional properties. 
The first is that Alice and Bob know each other's cards (and hence the entire 
deal) after its execution. Note that it is sufficient for Bob to learn the deal 
since, once Bob knows Alice's hand, he also knows Cath's and may proceed 
to announce C. Because of this, the protocols we present are in principle 
two-step protocols, even though we only focus on Alice's announcement and 
leave Bob's second announcement implicit. 

Definition 3.2 (Informativity). Given a deal (A, B, C), an announcement A 
is informative for (A, B, C) if there is only one X G A such that I C AUC. 

A protocol for (a, b, c) is informative if for every (A, B, C) G Deal(a, b, c), 
every A G tt(A) is informative for (A, B, C)P] 

The second property we desire from a protocol is that Cath does not gain 
"too much information" . How much is too much depends on a parameter we 
shall usually call k and states that, given X G (^), it is possible from Cath's 
perspective that ICi and also possible that X (£ A. This is the notion of 
weak k-security from [H]; we simply call it k-safety. 

Definition 3.3 (A;-Safety). Given a protocol it for (a, 6, c) and A G (®), an 
announcement A G tt(A) is k-s&fe if for every deal (A, B, C) and every non- 
empty set X with at most k elements such that X fl C = there is a deal 

2 Our presentation follows that given in |14j . Compare to |15l fT]. where informative for 
(^4, -B,C) is defined as follows: Given a deal (A,B,C), an announcement A containing 
A is informative for (A,B,C) if for any A' £ A and any (A',B',C), there is only one 
X E A such that X C A' U C . In principle this is stronger than the definition we give; 
however, this is remedied by the more general condition of being informative for (a, b, c). 
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(A',B',C) such that X C A' and A G tt(A'), as well as a deal (A",B",C) 
such that X £ A" e A. 

The protocol it is k-safe if every A G ft (A) is k-safe. 

A stronger notion of security is also discussed in [Hj. Let us use Pr(- 1 -) 
to denote conditional probability. Weak k -security is equivalent to the state- 
ment that, given a non-empty set X with at most k cards such that X fl C = 

0, 

< Pr(X C A\A,C) < 1. 

This probability may, however, be very small or very large. A stronger notion 
of security would demand that Cath does not gain probabilistic information 
from the protocol, so that 

Pr(X C A\A,C) = Pr(X C A\C). 

This is called perfect k-security and is similar to the combinatorial axiom 
CA4 in [?]. The protocols we shall present are not perfectly secure, but they 
are weakly fc-secure for some fixed value of k. 



4 The geometric protocol 

Here we shall give a formal definition of our protocol in the sense of Definition 



3 . 1 1 and prove that it indeed provides a fc-safe solution to the generalized 
Russian cards problem. 

The protocol is based on slicings: 

Definition 4.1 (Slicing). Let p be a prime power and k,d positive integers. 
Say a set X C ¥ d+1 is a A;-slicing if there are a d- dimensional subspace V 

and xi, ■ ■ ■ , Xk G Fp +1 such that X = Ui=i( x i + V) and Xi — Xj G V if and 
only if i = j . 

In other words, a A;-slicing is a union of k parallel hyperplanes. Note that 
fc-slicings have exactly kp d elements. 

Definition 4.2 (The geometric protocol). Fix a size (a,b,c) such that there 
are integers d, k and a prime power p with a = kp d and a + b + c = p d+1 . For 
a bisection F^ +1 ; define A\\f\ to be the set of all X C D such that 

f(X) is a k-slicing. 
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We then define the geometric protocol 7 for (a,b,c) (with parameters 
p,d,k) to be given by A £ j(A) if and only if A £ A and A = Ak[f] for 
some bisection f : D — > ¥ d+1 . 

Our main objective is to show that the geometric protocol provides a k- 
safe and informative solution to the generalized Russian cards problem, but 
this requires for the parameters to satisfy certain conditions. Although we 
defer the proof, let us state our main theorem now: 

Theorem 4.1. Assume that a,b,c,p,d,k are such that p is a prime power, 
a = kp d , a + b + c = p d+1 and 

c<kp d -k 2 p d ~\ (1) 
max{c + k, ck} < p. (2) 

Then, the geometric protocol with parameters p, d, k is k-safe and infor- 
mative for (a, b, c). 

Before we give a proof, we need to give some preliminary results. These 
will also help elucidate the purpose of Q and §2§. Note that max{c + 
k,ck} is usually equal to ck except when either k or c is equal to one. We 



remark that the bounds given by Theorem |4.1| are sufficient but not necessary; 
for example, the assiduous reader will verify that the protocol is 2-safe for 
(10, 12, 3), yet the bounds we give are not satisfied. 

Let us begin with a combinatorial lemma about slicings. 

Lemma 4.1. Let p be a prime power and k £ [l,p — 1]. If X, Y C ¥ d+1 are 
two distinct k-slicings then 

\X U Y I > min{(A; + l)p d , 2kp d - tfp^ 1 }. 

Proof. Write X = \J. =1 Ui and Y = \J i=1 W t as disjoint unions of parallel 
hyperplanes. It may be that for certain values of i,j we have that Ui = Wj. 
If this is the case, since I^F there must be some U = U t such that U 7^ Wj 
for any j. Then, since U is parallel to all Wi, we have that U, W\, . . . , W^ are 
mutually disjoint and hence 



(k + l)p d = Uu\JWi <|XUF| 



i<k 
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Now assume this is not the case, so that Ui 7^ Wj for any i,j < k. Then, 
if i,j<k we have \Ui D WA < so that 



\XUY\ 



\JUi\j\JWt 



1=1 

A' 



1=1 



1=1 



1=1 



The result follows. 



□ 



Lemma 4.2. Assume that a,b,c,p,d,k are such that p is a prime power, 



kp , a + b + c = p 



d+l 



and 



c < min{p , kp - k p }. 



Then, the geometric protocol with parameters p, d, k is informative for 
(a,b,c). 

Proof. We must show that, given a deal (A,B,C) and a bijection / : D — > 
Fp +1 , there can be only one X G -4fe[/] with X C AU C. More generally, we 
claim that there may only be one fc-slicing contained in any set E C Fp +1 
with at most a+c points; for indeed, by Lemma 4.1 , if E contains two distinct 
/c-slicings then 

\E\ > kp d + min{p d , kp d - k 2 p d ~ 1 } > a + c. 

But this contradicts the assumption that \E\ = a + c, and we conclude that 
E contains only one fc-slicing, as claimed. □ 

Now let us turn to fc-safety. Once again we begin with purely combina- 
torial preliminaries. The following is an elementary but useful fact. 

Lemma 4.3. Suppose that c + k < p and |C| < c. Let V be any hyperplane 
of¥ d+1 . Then, there exist k distinct hyperplanes parallel or equal to V and 
not meeting C. 

Proof. Each hyperplane has p d elements, and each x G Fp +1 lies in a unique 
hyperplane that is parallel to V. It follows that there are p hyperplanes 
parallel or equal to V; since c + k < p, at least k of them do not meet C. □ 
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Lemma 4.4. Let E be any subset of¥^ +1 such that k\E\ <p and let X be a 
set of at most k points such that X D E = 0. 

Then, there is a hyperplane V such that (xj + V) fl E = for all i < k. 

Proof. We will prove the more general claim that if E is any subset of F^ +1 
such that 



k\E\ < 



p-1 

and X = {x 1: . . . , x k } is a set of at most k points such that X fl E = 0, then 
there is an e-dimensional subspace V of F^ +1 such that (xj + V) fl E = for 
all i < k. The lemma follows by setting e = d and noting that 

pd-d+2 _ 1 p 2_ l 

1 — = — r =p + L 

p — l p — l 

Suppose that X C {xi, . . . , x^}. We proceed to build V by induction on 
e. The base case, when e = 0, is trivial (just take V = {0}). 
For the inductive step, assume that 

„<2-(e+l)+2 _ i n d-e+2 _ i 

k\E\ < < p 



p — 1 p — 1 

Then, by induction hypothesis there is an e-dimensional subspace V such 
that for all i < k, (xj + V) fl E — 0. Let us construct an e + 1-subspace 
V DV' with the same property. 

Let T be the set of all (e + l)-dimensional subspaces U such that V C [/. 
Each [/ is of the form (u, V) for some -u ^ V. Hence there are 

pd+l _ pe pd-(e+l)+2 _ -y 
pe+1 _ pe p — 1 

values that U may take; this is because u may take p d — p e different values, 
but given u we have that u + V — w + V if and only if w G (u + V) \ V , 
and there are p e+l — p e such w. 

Meanwhile, if U ^ W G T then [/ fl W — V , from which it follows that, 
given i < k, E is the disjoint union of all sets of the form (xj + U) H E with 
U E T. We conclude that for each i < k, there are at most values of 
U G T such that (xj + [/) fl E ^ 0, and hence there are at most k\E\ values 
of U G T such that there exists « < with (x, + U) fl -E 1 ^ 0. But 

pd-(e+l)+2 _ j 



k\E\ < 



p-1 
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so there is U* G T such that (xi + U*) C\ E = for all i < k and we choose 
V = U.. □ 

With this, we may prove that our protocol is safe. 

Lemma 4.5. Assume that a,b,c,p,d,k are such that p is a prime power, 
a = kp d , a + b + c = p d+1 and further ^ holds. 

Then, the geometric protocol with parameters p, d, k is k-safe for (a, b, c). 

Proof. Suppose that the deal (A, B, C) is given and Alice has announced 
A = A k \f]e<y(A). 

Choose a set X C D that has at most k elements with X R C = 0. By 



Lemma [44 , there is a d-dimensional subspace V such that (x+V)(lf(C) = 
for all x G f{X). Let A' v . . . , A' m be all sets of the form x + V with x G f{X); 
we know that m < k, but note that it may be the case that m < k. However, 



in view of Lemma |4.3[ there are at least k different hyperplanes parallel 
or equal to V and not meeting f(C) and thus we may pick A' m+l , . . . ,A' k 
parallel or equal to V but distinct from A i for i < m. Setting A' = |Ji=i ^% 
we see that A' G A is a /c-slicing containing X and not meeting f{C), so that 
f-\A) G A k [f] and f-\A') n C = 0, as required. 

Meanwhile, to find an element of >4a;[/] not containing X and not meeting 
C, it suffices to find a fc-slicing A" not containing any fixed x G f(X) and 
not meeting f{C). Choose any y G f{C) and any (i-dimensional subspace W 



such that x — y G W 7 . Once again use Lemma 4.3 to pick A", . . . , A' k parallel 



or equal to W and not meeting /(C) and set A" = U i=1 A'/. Then, A" is a 
fc-slicing not meeting f(C) U {x}, which means that f~ 1 (A") does not meet 
C and does not contain X, as required. □ 

Our main result is now immediate: 



Proof of Theorem \4-l\ Suppose a, b, c,p, d, k satisfy ([T]) and Note that by 



(|2]), c+k < p and thus c < p d ; it follows that c < min{p d , kp d — k 2 p d 1 }. Then 



by Lemma 4.2, the geometric protocol is informative, whereas by Lemma 4.5 



it is fc-safe. □ 



5 Computing parameters 



Theorem |4.1| gives general conditions under which the geometric protocol 
works, but it is perhaps not obvious how to find suitable parameters or even 
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that many exist. In this section we shall flesh out more specific consequences 
of this result, showcasing its usefulness in solving many new instances of 
the Russian cards. We remark, however, that the bounds we give here are 
not meant to be exhaustive; the different parameters can be chosen in many 
other ways to obtain solutions for deals of different sizes. 

First let us give a simplified version of Q, which will be easier to work 
with: 

Lemma 5.1. Given natural numbers p, k > 1 we have that kp d — k 2 p d ~ x > 
if and only if k e [l,p — 1], in which case kp d — k 2 p d ~ x > p d — p d ~ x . 

Proof. The function kp d — k 2 p d ~ x is concave on k and kp d — k 2 p d ~ l = when 
k = or k = p. It follows that, for natural k, kp d — k 2 p d ~ l > if and only if 
1 < k <p - 1. 

Now, when k = 1 we have that kp d — k 2 p d ~ x = p d — p , and similarly 
when k = p — 1, from which it follows once again by concavity that kp d — 
k 2 p d - 1 >p d - p d ~ l for all k e [l,p- 1]. □ 

Before we continue, let us mention a simple number-theoretic observation 
which will nevertheless be very useful: 

Lemma 5.2. Given n > 1 there exists a prime power p such that n < p < 2n. 

Proof. Choose £ to be the unique integer such that n < 2 e < 2n and set 
p = 2 l . □ 

Now for the main result of this section. In order to give a uniform bound 
we shall use the fact that for all k, c > 1 we have that max{fc+c, kc} < kc+1. 

Theorem 5.1. Given k,c>l. Then, the geometric protocol is informative 
and k-safe for (a, b, c) for infinitely many values of a, b with b < 2a(c + 1). 
The smallest such value of a is at most 2k(kc + 1). 



Proof. As before, it suffices to check that all conditions of Theorem |4. 1| may 
be satisfied for appropriately chosen parameters. 



Fix k > 1 and c > 0. Use Lemma 5.2 to find a prime power p such that 
kc + 1 < p < 2{kc + 1). Given d > 1, set a — kp d and b = p d+1 — a — c. 

First we observe that if d — 1, a = kp < 2k(kc + 1). Note that b < ^ < 
2a(c + 1) independently of d. 
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that 



To see that condition pi) holds, it suffices in view of Lemma 5.1 to observe 



c < p - 1 < p d 1 {p - 1) = p d - p" 

Meanwhile, condition ^ holds by the way we chose p. 

It follows from Theorem 4T that the geometric protocol is informative 
and fc-safe for (a, b, c), as claimed. □ 



6 Conclusions and future work 

The generalized Russian cards problem, aside from being interesting from 
a purely combinatorial perspective, provides a prototypical case-study for 
information- based cryptography [10]. This alternative paradigm is based on 
the impossibility, rather than the improbability, of encrypted messages be- 
ing intercepted. Information-based cryptography has the advantage over 
probability-based cryptography that it does not depend on eavesdroppers' 
computational resources or, for example, the assumption that P ^ NP. How- 
ever, such methods are less developed, and for good reason, as the demand 
that protocols be unconditionally secure is rather strong. Also, they depend 
on a prior phase of key-distribution ('dealing the cards') by some central au- 
thority, that is assumed to be perfectly secure. Nevertheless, solutions to the 
generalized Russian cards problem could very well lead, directly or indirectly, 
to applications in information-theoretic methods of secure communication. 

In this paper we have given improved bounds for the tuple (a, b, c) to have 
an informative and fc-safe solution. The notion of A;-safety was originally 
considered by Stinson and Swanson in [14] . where fc-safe protocols are given 
for many cases where Cath has one card. Perhaps the main contribution of 
the present work is that the protocol we present gives the first fc-safe solutions 
for c > 1. 

Stinson and Swanson also introduce perfect security. This strengthened 
notion of security may yet be extended to many new cases, for in the methods 
we propose (and most that are available in the literature), there is no guaran- 
tee that Cath does not learn additional probabilistic information. It may be 
possible to amend the geometric protocol to achieve either perfect security 
or, more likely, an approximate variant, where the probabilistic information 
that Cath learns is minimal. 

Finally, the authors have presented in [5] a method which allows Cath 
to have more cards than Alice, which we call the colouring protocol. It is 
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known that such a protocol must have more than two steps; ours has four. In 
principle, the present geometric protocol may be combined with the colouring 
protocol to give fc-safe solutions when Cath has many more cards than Alice, 
although the combinatorial analysis is likely to be rather challenging. 

These are possible avenues to explore in future work; however, the Russian 
cards problem allows for a large degree of freedom and it may very well be 
that entirely new and better methods shall be developed to obtain more 
efficient and secure protocols. 
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